PHP Buffer Overflow(popen)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052284 漏洞类型
发布时间 2009-01-12 更新时间 2009-01-12
漏洞平台 N/A CVSS评分 N/A
 Apache 2.2.11/PHP 5.2.8 Buffer Overflow Exploit (popen func)

Type: Remote and Local

Requirements for exploit: popen() enabled.

By: e.wiZz!  Enes M;

PHP Popen() function overview:

Popen function in php opens a pipe to a process executed by forking the command given by command.
It was implementet since PHP 4 version.
     popen ( string $command_to_execute , string $mode )

Second argument is vulnerable to buffer overflow.Reason why i mentioned Apache here,is because
when we execute poc.php Apache HTTP server crash without any report in error log.You can test on WAMP too,on CLI or browser.

Tested on: PHP 5.2.8/4.2.1/4.2.0
           Apache 2.2.11


$handle = popen('/whatever/', $____buff);
echo $handle;